In July 2004, GAO reported that the six Department of Veterans Affairs (VA) medical centers it audited lacked a reliable property control database and effective inventory policies and procedures. In July 2007, GAO reported that continuing internal control weaknesses over IT equipment at four case study locations at VA resulted in an increased risk of theft, loss, and misappropriation of IT equipment assets. GAO's two reports included 18 recommendations to improve internal control over IT equipment. GAO was asked to perform a follow-up audit to determine (1) whether VA has made progress in implementing GAO's prior recommendations for improving internal control over IT equipment and (2) the effectiveness of VA's current internal controls to prevent theft, loss, or misappropriation of IT equipment. GAO reviewed policies and other pertinent documentation, statistically tested IT equipment inventory controls at four geographically disparate locations, and interviewed VA officials.

VA has made significant progress in addressing prior GAO recommendations to improve controls over IT equipment. Of the 18 recommendations GAO made in its two earlier reports, VA completed action on 14 recommendations, partially implemented action on 2 recommendations, and is working to address the 2 remaining open recommendations. These recommendations focused on strengthening policies and procedures to establish a framework for accountability and control of IT equipment. If effectively implemented, VA's July 2008 policy changes would address many of the control weaknesses GAO identified. Mandated early implementation of this new policy addresses user-level accountability and requirements for strengthening physical security. In addition, to determine the extent of inventory control weaknesses over its IT equipment, VA performed a departmentwide physical inventory in 2007. However, as of May 15, 2008, VA reported that it could not locate about 62,800 IT equipment items, of which 9,800 could have stored sensitive information. Because VA does not know what, if any, sensitive information resided on the equipment, potentially affected individuals could not be notified. GAO's statistical tests of IT equipment inventory controls from February through May 2008 at four locations identified continuing control weaknesses, including missing items, lack of accountability, and errors in IT equipment inventory records. Although these control weaknesses may be addressed through early implementation of the July 2008 policies, the fact that GAO identified missing items only a few months after these locations had completed their physical inventories is an indication that underlying weaknesses in accountability over IT equipment have not yet been corrected. GAO's tests identified 50 missing items, of which 34 could have stored sensitive data, but again, notifications to individuals could not be made. 
Further, the lack of user-level accountability and inaccurate records on status, location, and item description of IT equipment items at the four case study locations make it difficult to determine the extent to which actual theft, loss, or misappropriation of IT equipment may have occurred. In addition, the four locations had weaknesses in controls over hard drives in the property disposal process as well as physical security weaknesses at IT storage facilities. These control weaknesses present a risk that VA could lose control over new, used, and excess IT equipment and that any sensitive personal and medical information residing on hard drives in this equipment could be compromised.

Recommendations for Executive Action

Status: Closed - Implemented

Comments: In response to our recommendation, in July 2009, VA issued VA Handbook 7002 part 4 requiring that IT Custodial Officers ensure that each hard drive is marked with the equipment entry number of the host system whenever the hard drive is removed from the host system. The equipment entry numbers are to be written on the hard drives with an indelible marker at the time the hard drives are removed from the host systems. This procedure enables tracking of the hard drive to the host computer. By implementing our recommendation to develop a procedure for identifying and linking hard drives to host computers, VA has improved its accountability of IT equipment, and reduced the risk of disclosure or compromise of sensitive personal and medical information.

Recommendation: To improve accountability of IT equipment inventory and reduce the risk of disclosure or compromise of sensitive personal and medical information, the Secretary of Veterans Affairs should require the CIO, with the support of medical centers and VA headquarters organizations we tested and other VA organizations, as appropriate, to develop a procedure for identifying hard drive serial numbers with both the property identification numbers and serial numbers of host computers.

Agency Affected: Department of Veterans Affairs

Status: Closed - Implemented

Comments: In response to our recommendation, in April 2010, VA published a list of medical equipment Catalog Stock Numbers (CSNs) to be used for maintaining accountability over VA medical equipment with data storage capabilities to be included in its IT equipment inventory. The list includes six new CSNs for computers, printers, and monitors, which are utilized as part of a system of medical equipment, and their life expectancies. For example, there is a new CSN for laptop computers that are always used with MRI or CT equipment. By implementing our recommendation to develop a list of medical equipment with data storage capability that should be considered as IT equipment for inventory control purposes, VA has improved its accountability of IT medical equipment and helped safeguard those assets from theft, loss, and misappropriation.

Recommendation: To improve accountability of IT equipment inventory and reduce the risk of disclosure or compromise of sensitive personal and medical information, the Secretary of Veterans Affairs should require the CIO, with the support of medical centers and VA headquarters organizations we tested and other VA organizations, as appropriate, to develop a list of medical equipment with data storage capability that should be considered as IT equipment for inventory control purposes.

Agency Affected: Department of Veterans Affairs

Status: Closed - Implemented

Comments: In response to our recommendation, in March 2010, VA issued an SOP to standardize the naming classification for IT equipment. The SOP required that fields for item name, manufacturer, and model be completed for all IT equipment. In addition, VA established a new web portal to monitor compliance with these requirements. The website provides information on IT equipment data completeness. For example, a VA staff person can view for a given facility a list of the number and percentage of items with complete information on serial number, manufacturer, and model. By implementing our recommendation to establish and implement a policy requiring development of standardized naming classification for recording IT equipment into local property inventory systems, VA has improved its accountability of IT equipment and helped safeguard those assets from theft, loss, and misappropriation.

Recommendation: To improve accountability of IT equipment inventory and reduce the risk of disclosure or compromise of sensitive personal and medical information, the Secretary of Veterans Affairs should require the CIO, with the support of medical centers and VA headquarters organizations we tested and other VA organizations, as appropriate, to establish and implement a policy requiring development of standardized naming classifications for IT equipment--including item name, manufacturer, and model--for recording IT equipment into local property inventory systems.

Agency Affected: Department of Veterans Affairs

Status: Closed - Implemented

Comments: In response to our recommendation, VA established new procedures to review property inventory records and confirm that all IT equipment is identified in the property system. In July 2009, VA issued VA Handbook 7002 with new inventory control procedures. At each facility, an IT Custodial Officer is to coordinate perpetual inventory activities and conduct an annual inventory of IT equipment items assigned a Catalog Stock Number (CSN) as well as expendable IT equipment items. Following an inventory of IT items, or whenever an IT equipment item is identified as "not accounted for", the IT Custodial Officer is to review, document and report any discrepancies identified during inventory activities. A VA IT Inventory Compliance Portal has been established to monitor the completeness of inventory data and the status of perpetual inventory efforts. By implementing our recommendation to review property inventory records and confirm that all IT equipment is identified in the property system, VA improved its accountability of IT equipment and helped safeguard those assets from theft, loss, and misappropriation.

Recommendation: To improve accountability of IT equipment inventory and reduce the risk of disclosure or compromise of sensitive personal and medical information, the Secretary of Veterans Affairs should require the CIO, with the support of medical centers and VA headquarters organizations we tested and other VA organizations, as appropriate, to review property inventory records and confirm that all IT equipment, regardless of the organizational equipment inventory listing, is identified in the property system.

Agency Affected: Department of Veterans Affairs

Status: Closed - Implemented

Comments: VA concurred with our recommendation. In March 2013, VA officials updated VA Handbook 0730/1 (currently 0730/4, the fourth version of VA Handbook 0730), Security and Law Enforcement. This update requires that temporary IT storage locations have minimum physical security requirements and that temporary IT storage locations are included in physical security inspections.

Recommendation: To improve accountability of IT equipment inventory and reduce the risk of disclosure or compromise of sensitive personal and medical information, the Secretary of Veterans Affairs should require the CIO, with the support of medical centers and VA headquarters organizations we tested and other VA organizations, as appropriate, to revise the definition of IT storage locations in VA's Handbook 0730/1, Security and Law Enforcement, to include informal IT storage locations, such as OIT work rooms, and require these locations to be included in physical security inspections.